Sunday, February 10, 2008

Cisco SDM (Security Device Manager)

What is SDM?
Cisco SDM is an acronym for Security Device Manager. Cisco originally wanted a way to secure Cisco devices through a short wizard-driven walkthrough, so that a device could be locked down without deep security knowledge. Later they kept adding features such as monitoring and traffic views, but it is still called SDM.

It is a web-based, Java-based application and it works on all mainline Cisco routers.
"Mainline" means the mainstream routers usually used by organizations, such as the 2800, 2600, 3600, 1800 and 800 series. The non-mainstream ones are the extremely advanced series used, for example, by service providers; at that level administrators usually don't need a GUI and prefer the console, as they do on old routers. The SDM is designed to allow IOS configuration without extensive knowledge.


How to get SDM?


SDM is typically shipped on the flash of all Cisco routers when you buy them from Cisco or a Cisco reseller, so whenever you point your browser at the router it automatically opens the SDM. If it doesn't come with SDM, you can get it at http://www.cisco.com/go/sdm free of charge.

SDM can be installed on your computer/PC, on the router's flash, or on both.
If you install it ONLY on the router's flash, you can open the SDM from another PC that doesn't have SDM installed: the PC downloads the SDM from the router and runs it from there. The disadvantage is that anything running from the router's flash is slow and takes longer to load; it is not as smooth as running it on the PC.
If you install the SDM ONLY on the PC and not on the router's flash, you run the program locally on the PC. You can then point it at the IP address of any router you want to manage without installing SDM on the router, which is a very nice option.

How to configure a Cisco router to support SDM?
  1. Set a domain name
  2. Generate encryption keys (used for SSH and HTTPS)
  3. Turn on the HTTP/HTTPS servers & telnet/SSH for the router
  4. Create a privilege level 15 user account
  5. Enable telnet/SSH
  6. Configure the vty & http access ports for privilege level 15 and to use the local user database
  7. Install Java on your PC and access the router with a web browser (if SDM is installed on the router) or open the Cisco SDM software (if SDM is installed on the PC)
In order to generate the cryptographic keys, first we must set a domain name:
R1(config)#ip domain-name [domain name]
Generate the RSA key pair; RSA keys are used to secure SSH and HTTPS, and in this example I generate a 1024-bit key:
R1(config)#crypto key generate rsa general-keys
...
How many bits in the modulus [512]: 1024
% Generating 1024 ...
Turn on the HTTP (80)/HTTPS (443) servers & telnet/SSH for the router:
R1(config)#ip http server
R1(config)#ip http secure-server
Create a privilege level 15 user account, the highest level (also called enable mode):
R1(config)#username [name] privilege 15 {password | secret} [password]
Enable telnet/SSH: configure the vty lines for privilege level 15, to use the local user database, and with the allowed transports (the prompt changes to config-line inside the vty block):
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#login local
R1(config-line)#transport input [all | none | telnet | ssh]
(Optional) Enable local logging to support the log monitoring function:

Router(config)# logging buffered 51200 warning
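As an added example (not part of the original post), here is a small Python audit of the running-config lines that the steps above produce. It flags the choices that weaken the management plane: "transport input all" or "telnet" on the vty lines, a level-15 account created with "password" rather than "secret", "ip http server" without "ip http secure-server", and a vty block without "login local". The "ip http authentication local" check goes one step beyond the post's command list: it is the IOS command that makes the HTTP server use the local user database, which step 6 asks for. Both sample configs are constructed for the example.

```python
import re

# Constructed sample: the running-config lines the steps produce when the admin keeps the
# convenient choices (transport input all, a 'password' user, plain HTTP, no HTTPS).
WEAK_CONFIG = """\
ip domain-name lab.example
username admin privilege 15 password 0 cisco123
ip http server
line vty 0 4
 privilege level 15
 login local
 transport input all
"""

# Constructed sample: the same prerequisites with the safer choices (hash is a placeholder).
HARDENED_CONFIG = """\
ip domain-name lab.example
username admin privilege 15 secret 5 $1$xyz$PLACEHOLDERHASH
ip http secure-server
ip http authentication local
line vty 0 4
 privilege level 15
 login local
 transport input ssh
"""


def split_config(config_text):
    """Return (global_lines, blocks): blocks maps a section header such as
    'line vty 0 4' to its indented sub-commands with the leading space stripped."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
            if current.startswith("line "):
                blocks.setdefault(current, [])
    return global_lines, blocks


def audit_sdm_config(config_text):
    """Return a list of findings; an empty list means every SDM prerequisite
    is met with the encrypted transport / hashed credential option."""
    findings = []
    global_lines, blocks = split_config(config_text)

    # Management-plane transport: SDM logs in over HTTP(S) with the level-15 account.
    if "ip http server" in global_lines and "ip http secure-server" not in global_lines:
        findings.append("ip http server without ip http secure-server: SDM logins cross the wire in cleartext")
    if "ip http secure-server" in global_lines and "ip http authentication local" not in global_lines:
        findings.append("HTTP server is not told to authenticate against the local user database")

    # Credential storage: 'password' is plain or reversible (type 7); 'secret' is hashed.
    for line in global_lines:
        m = re.match(r"username (\S+) privilege 15 password\b", line)
        if m:
            findings.append(f"user {m.group(1)}: level-15 account uses 'password'; use 'secret' instead")

    # vty lines: local login and an encrypted transport only.
    for header, cmds in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "login local" not in cmds:
            findings.append(f"{header}: missing 'login local', local accounts are not used for vty logins")
        for cmd in cmds:
            if cmd.startswith("transport input"):
                allowed = cmd.split()[2:]
                if "all" in allowed or "telnet" in allowed:
                    findings.append(f"{header}: transport input {' '.join(allowed)} permits cleartext telnet")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sdm_config(cfg) or ['no findings']}")
```

The audit works on the text of "show running-config", so it can be run against a saved copy before the router is exposed to the management network; the RSA modulus size is not checked because the key length does not appear in the running configuration.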



Open up the SDM


Access the router using a web browser (if SDM is installed on router) or open up the Cisco SDM software (if SDM is installed on PC) by navigating:
Start Menu>All Programs>Cisco Systems>Cisco SDM> Cisco SDM


An SDM launcher will come up

A window for level 15 user authentication will come up

While loading, an authentication window comes up again, but this one is from the Java application

The SDM will look like below


One good feature is enabling the command preview from Edit Menu > Preferences

After enabling the command preview, a window showing the commands pops up whenever we make a change to the configuration, like below

Sunday, February 3, 2008

Cisco Router Simulator with Dynamips / Dynagen

I will explain how to use our PC to emulate Cisco router hardware and run virtual IOS processes on our local desktop.

What is Dynamips?
Dynamips is an IOS virtualization program, somewhat like VMware on the desktop, in that it emulates different hardware platforms.
Dynamips is different from traditional simulators such as Boson, Packet Tracer and Router eSim.
Dynamips doesn't simulate the IOS: it emulates the router hardware on the PC, boots IOS images into separate logical router processes, and those routers can talk to each other with whatever protocols the particular IOS images support.

In order to run dynamips you need:
-Windows / Mac OS / Linux
-Dynamips, the "hypervisor" that emulates the router hardware
-Dynagen, which is used to create the configuration file and to boot the hypervisor processes
-Dynamips is included in the Dynagen installer package
-Actual IOS images
-Any terminal emulation software such as HyperTerminal, SecureCRT, Tera Term, etc.

Windows (click here for Video Tutorial)
1. Install WinPcap so that the network interface cards can talk to the dynamips processes
2. Install dynagen, which includes the dynamips hypervisor
3. Start the Dynamips server
4. Run the *.net lab config file

Linux (click here for Video Tutorial)
1. Download dynagen using wget and extract it with tar zxvf into the /opt/dynamips directory
2. Change into the dynagen directory and check README.txt to see which version of dynamips is required, then go to the dynamips blog to download that version.
3. Download the required version of dynamips, also using wget, into the /opt/dynamips directory
4. Use the 'chmod 755' command to make the dynamips binary executable
5. Go to the /usr/bin directory to create symbolic links for the dynamips and dynagen programs
6. Create a symbolic link to the dynamips program and give it a name, e.g. dynamips. This lets you type dynamips from anywhere to run the program. Here is the example:
ln -s /opt/dynamips/dynamips-0.2.7.-RC2-x86.bin dynamips
7. Create a symbolic link to the dynagen program and give it a name, e.g. dynagen. This lets you type dynagen from anywhere to run the program. Here is the example:
ln -s /opt/dynamips/dynagen-0.9.1/dynagen dynagen
8. Create a directory for IOS images and move the IOS image into it.
mkdir /opt/dynamips/images
Configure the *.net dynagen lab file, which defines which individual router instances we run, what interfaces they have and which IOS image they boot.
In sample_labs there are templates that can be changed. For example, to try the simple1 lab in the simple1 directory, whose configuration file is simple1.net, change the image file name (c7200-adventerprisek9-mz.124-4.T1.bin) below to your own IOS image file name.

Windows:
# Simple lab

[localhost]

[[7200]]
image = \Program Files\Dynamips\images\c7200-adventerprisek9-mz.124-4.T1.bin
# On Linux / Unix use forward slashes:
# image = /opt/7200-images/c7200-adventerprisek9-mz.124-4.T1.bin
npe = npe-400
ram = 160

[[ROUTER R1]]
s1/0 = R2 s1/0

[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1


Linux:
# Simple lab

[localhost]

[[7200]]
# image = \Program Files\Dynamips\images\c7200-adventerprisek9-mz.124-4.T1.bin
# On Linux / Unix use forward slashes:
image = /opt/7200-images/c7200-adventerprisek9-mz.124-4.T1.bin
npe = npe-400
ram = 256

[[ROUTER R1]]
s1/0 = R2 s1/0

[[router R2]]
# No need to specify an adapter here, it is taken care of
# by the interface specification under Router R1



Start the Dynamips server (launch the hypervisor process).
Windows: Double click the 'Dynamips Server' shortcut, usually on the desktop

Linux: dynamips -H 7200 &
Note: The '&' character runs the process in the background.

Once the Dynamips server has started, we launch the configured *.net lab file. In this example I run the simple1.net lab. A new window will pop up.

Windows: Double click the 'simple1.net' file, usually in C:\Program Files\Dynamips\sample_labs\simple1

Linux: dynagen simple1.net

List the available devices in the lab using the list command.

Windows: Connect to a router using the telnet [device name] command, e.g. telnet R1
Linux: Connect to a router using a telnet client such as PuTTY on port 2000

A new window for the router will come up.

Windows: You will see some error messages like below
% Crashinfo may not be recovered at bootflash crashinfo
% This file system device reports an error
Linux: You might not get these error messages.

Windows: To fix this error we need to format the bootflash using the command: format bootflash:
After the bootflash has been formatted, we need to adjust the idle-pc parameter in order to drop the CPU utilization on the PC.

Now close the R1 telnet window and go back to the console window titled "Dynagen"



To get an idle-pc value use the command:
idlepc get [router name]
e.g. idlepc get R1
Choose the value marked with "*". If no value is marked with "*" on the first attempt, just run idlepc get R1 again.

After applying the idlepc value, don't forget to save it using the command:
idlepc save [router name] db


You will notice the drop in CPU utilization once the idle-pc value has changed.

OK! Now we have a virtual Wide Area Network with Cisco Routers!

Additional information and materials:

Cisco Certified Voice Professional (CCVP)

I see there are a lot of materials in my office now for learning about Voice-over-IP solutions. In addition, my first task now is to help a team that develops Advanced Technology Demo Units for Voice and Unified Communications plus the Cisco IP Interoperability and Collaboration System (IPICS). Besides, one of my team just finished her Bachelor's thesis about IP Telephony and Cisco Unified Communications Manager (CallManager); maybe she can explain or teach me something regarding IP Telephony.

Then my friend told me that maybe I should take CCVP rather than CCNP, since the conditions and environment of my office can support me in pursuing CCVP.

The CCVP (Cisco Certified Voice Professional) validates a network professional's ability to implement and operate Cisco Unified Communications solutions in single site and multi-site deployments. Individuals who hold a CCVP certification can help create an IP telephony solution that is transparent, scalable, and manageable. The CCVP curriculum focuses on Cisco Unified CallManager, voice gateways and gatekeepers, switches, Unified IP Phones, and skills to secure the voice communications and ensure voice quality of service. Candidates must pass five secure, proctored certification-quality exams to become a Cisco Certified Voice Professional (CCVP). The prerequisite for the Cisco Certified Voice Professional (CCVP) is CCNA. As voice technologies continue to grow in importance Cisco helps you keep pace with a rapidly changing world.

The CCVP provides network professionals with the knowledge, skills, and credentials necessary to design and implement end-to-end Cisco IP Telephony solutions. The certification content focuses on Cisco CallManager, QoS, gateways, gatekeepers, IP phones, voice applications and utilities on Cisco routers and Catalyst switches.

Required Exam(s)        Recommended Training
642-642 QoS             Quality of Service (QoS)
642-432 CVOICE          Cisco Voice over IP (CVOICE)
                        AND Cisco Voice over IP Fundamentals (CVF)
642-426 TUC             Troubleshooting Cisco Unified Communications Systems (TUC)
642-444 CIPT 4.1        Cisco IP Telephony Part 1 (CIPT1 4.1)
  OR                    AND Cisco IP Telephony Part 2 (CIPT2 4.1)
642-445 CIPT 5.0          OR
                        Cisco IP Telephony Part 1 (CIPT1 5.0)
                        AND Cisco IP Telephony Part 2 (CIPT2 5.0)
642-453 GWGK            Implementing Cisco Voice Gateways and Gatekeepers (GWGK)

So the steps I should take are Cisco Voice Fundamentals, a 6-hour e-learning course that establishes a strong foundation in VoIP and PSTN fundamentals, then CVOICE, followed by CIPT1, GWGK, or QoS in any order. CIPT2 should be completed only after completing CIPT1.

The final course in the series, IP Telephony Troubleshooting, is best taken after having completed the other CCVP courses in the curriculum. Those will help me better understand how to install, configure and deploy the various voice products and technologies tested in the CCVP exams.

From the information I got, there will be 5 exams to pass:
  • CVOICE is the foundation for it all (the most useful exam)
  • QoS is not much based on anything, but you need some background, so it is better taken after CVOICE (the most interesting one)
  • GWGK is CVOICE2 (the hardest to master)
  • TUC has some parts built on CIPT knowledge (the easiest to do)
  • CIPT is a lot better after GWGK (the most boring)
I will think about CCVP and CCNP, and which one I should choose for now...

Saturday, February 2, 2008

Cisco 1841 Router

Yesterday, 2 Cisco 1841 routers arrived at my office. At first sight, I don't see any difference from the other Cisco routers.
It has 2 integrated 10/100 Fast Ethernet ports and 2 WAN Interface Card slots.
Then I look back at the box. Hey! There are additional interface cards plus antennas, and those things are for the WAN slots.

They are Cisco 3G Wireless WAN High-Speed WAN Interface Card and Cisco HWIC-AP WLAN Module.

3G over wireless provides broadband connectivity over the cellular networks. The 3G Wireless WAN HWICs are the first enterprise-class 3G WAN solution. The 3G Wireless WAN HWICs support the following 3G and 2.5G technologies:
  • HWIC-3G-CDMA supports 1xEV-DO Rev A, 1xEV-DO Rev 0, and 1xRTT, up to 3.2 Mbps
  • HWIC-3G-GSM supports HSDPA, UMTS, EDGE, and GPRS, up to 3.6 Mbps
Then I grab a console cable, connect it to my laptop, and here are the outputs

Router#sh flash
-#- --length-- -----date/time------ path
1 33688548 Feb 1 2008 16:15:20 +00:00 c1841-advipservicesk9-mz.124-15.T3.bin

30162944 bytes available (33689600 bytes used)

Router#sh int sta
Interface FastEthernet0/0 is disabled

Interface FastEthernet0/1 is disabled

Cellular0/0/0
      Switching path    Pkts In   Chars In   Pkts Out  Chars Out
           Processor          0          0          0          0
         Route cache          0          0          0          0
               Total          0          0          0          0
Interface Dot11Radio0/1/0 is disabled

Router#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T3,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 24-Jan-08 13:53 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

Router uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T3.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 4.1) with 234496K/27648K bytes of memory.
Processor board ID FHK090521G0
2 FastEthernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
1 802.11 Radio
1 Cellular interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62592K bytes of ATA CompactFlash (Read/Write)
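As an added example (not part of the original post), here is a Python parser that pulls the inventory-relevant fields out of "show version" output: IOS train and feature set, the boot image, ROMMON version, chassis serial and the reason for the last restart. Recording the IOS version of a new router is the first step of tracking it for security advisories, and the restart reason is the field to watch on a box that reboots on its own. The sample input is the output captured in the post above, with the export-notice paragraph omitted.

```python
import re

# Sample input: the 'show version' output from the post (export notice omitted).
SHOW_VERSION = """\
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T3,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 24-Jan-08 13:53 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

Router uptime is 1 minute
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T3.bin"

Cisco 1841 (revision 4.1) with 234496K/27648K bytes of memory.
Processor board ID FHK090521G0
2 FastEthernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
1 802.11 Radio
1 Cellular interface
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62592K bytes of ATA CompactFlash (Read/Write)
"""

# Each field is a single regex with one capture group; missing fields are simply absent.
FIELDS = {
    "platform": r"Cisco IOS Software, (\S+) Software \(",
    "feature_set": r"Cisco IOS Software, \S+ Software \((\S+)\), Version",
    "version": r"\), Version ([^,]+),",
    "rommon": r"ROM: System Bootstrap, Version ([^,]+),",
    "uptime": r"uptime is (.+)",
    "last_reload_reason": r"System returned to ROM by (.+)",
    "image": r'System image file is "([^"]+)"',
    "serial": r"Processor board ID (\S+)",
    "nvram": r"(\d+K) bytes of NVRAM",
}


def parse_show_version(text):
    """Return a dict of the fields found in a 'show version' dump."""
    info = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            info[name] = m.group(1).strip()
    # Cisco marks crypto-capable images with 'K9' in the feature set name.
    info["crypto_image"] = "K9" in info.get("feature_set", "").upper()
    return info


def reload_was_unexpected(info):
    """True when the last restart was neither a power cycle nor an operator 'reload'."""
    reason = info.get("last_reload_reason", "").lower()
    return not (reason.startswith("power-on") or reason.startswith("reload"))


if __name__ == "__main__":
    details = parse_show_version(SHOW_VERSION)
    for key, value in details.items():
        print(f"{key:20} {value}")
    print("unexpected reload:", reload_was_unexpected(details))
```

The same function applied to a fleet of saved "show version" dumps gives a quick list of which routers run which IOS train, which is what you need when a new advisory names the affected versions.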


Ok, I can try an NTS connection with this router to connect to the Internet, since NTS already supports 3G. But I don't know whether Lippotel/NTS already covers my area; besides, my Pearl is out of battery and I didn't bring my charger. Hmmm, maybe I'll try it on Monday. :D

More Information: